Description
A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows a user holding Apicurio Registry's artifact‑write permission to submit XML payloads that contain internal DTD entity expansions. Because DOCTYPE declarations are still accepted (only external DTD and schema access is blocked) and FEATURE_SECURE_PROCESSING is not enabled, high‑volume entity expansions such as the "billion‑laughs" variant can consume excessive CPU and heap, eventually rendering the registry service unreachable. This weakness is identified as CWE‑776.

Affected Systems

The vulnerability applies to the Red Hat build of Apicurio Registry 3. No specific sub‑versions are listed beyond the major release, so any deployment matching the Red Hat build of Apicurio Registry 3 is potentially impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. Because the EPSS value is missing, the exact likelihood of exploitation is unclear, yet the write‑permission requirement keeps the attack vector realistic for environments where users can upload artifacts. The vulnerability is not included in the CISA KEV catalog, but the absence of DOCTYPE restrictions means that internal entity abuse can still succeed, causing resource consumption and possible service outages.

Generated by OpenCVE AI on June 26, 2026 at 00:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch or upgrade to a later Apicurio Registry release that disables DOCTYPE processing or enables FEATURE_SECURE_PROCESSING.
  • If a patch is not available, limit artifact‑write permissions to trusted users and consider rejecting XML uploads that contain DOCTYPE declarations.
  • Configure the XML parser to enable FEATURE_SECURE_PROCESSING and lower the entity‑expansion limit from the default 64,000 to a stricter value to curb potential future exploitation.
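The three recommended parser changes side by side with the weak configuration, as an added example written for this page (it is not Apicurio Registry code and does not reproduce its DocumentBuilderAccessor). The class name, the two constructed sample documents and the limit value of 100 are assumptions; the feature and attribute URIs are the standard JAXP/Xerces ones shipped with the JDK parser.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XmlParserHardening {

    // Constructed sample: a well-formed document whose internal DTD subset declares one
    // harmless entity. The hardened parser must reject it on the DOCTYPE line alone,
    // before any entity is ever expanded.
    private static final String DOC_WITH_DOCTYPE =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE artifact [ <!ENTITY greeting \"hello\"> ]>\n"
          + "<artifact>&greeting;</artifact>";

    // Constructed sample: an ordinary artifact with no DOCTYPE.
    private static final String DOC_WITHOUT_DOCTYPE =
            "<?xml version=\"1.0\"?><artifact>hello</artifact>";

    // Weak configuration, assumed to mirror the state the advisory describes: external DTD
    // and schema fetches are blocked, but a DOCTYPE is still accepted and secure processing
    // is off, so internal entity expansion is bounded only by the JAXP default of 64,000.
    static DocumentBuilderFactory weakFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Hardened configuration following the recommended actions above.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // 1. Refuse any DOCTYPE: without a DTD there is no internal subset in which
        //    entities can be declared, so expansion attacks never start.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // 2. Enable JAXP secure processing, which activates the built-in processing limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // 3. Lower the entity-expansion ceiling well below the 64,000 default (assumed
        //    value 100) as defence in depth for any code path that still tolerates a DTD.
        f.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", "100");
        // 4. Keep the external-access blocks the weak configuration already had.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses a document and returns its root element name; throws if the parser rejects it.
    static String parseRootName(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // The weak parser accepts the DOCTYPE and expands the entity.
        System.out.println("weak, DOCTYPE:     " + parseRootName(weakFactory(), DOC_WITH_DOCTYPE));

        // The hardened parser fails fast on the DOCTYPE with a SAXParseException.
        try {
            parseRootName(hardenedFactory(), DOC_WITH_DOCTYPE);
            System.out.println("hardened, DOCTYPE: accepted (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened, DOCTYPE: rejected: " + e.getMessage());
        }

        // Ordinary artifacts without a DOCTYPE still parse normally.
        System.out.println("hardened, plain:   " + parseRootName(hardenedFactory(), DOC_WITHOUT_DOCTYPE));
    }
}
```

The disallow-doctype-decl feature is the decisive control: it rejects the document before any entity is declared, so the expansion limit only matters for parser instances that cannot refuse DTDs outright. On a non-JDK JAXP implementation the Xerces feature URI or the Oracle entityExpansionLimit attribute may be unsupported, in which case setFeature or setAttribute throws; treat that as a configuration failure rather than silently falling back to the weak factory.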

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics: threat_severity | None | Moderate


Thu, 25 Jun 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.
Title | | Apicurio/apicurio-registry: apicurio-registry: xml entity-expansion denial of service via internal dtd subset
First Time appeared | | Redhat; Redhat apicurio Registry
Weaknesses | | CWE-776
CPEs | | cpe:/a:redhat:apicurio_registry:3
Vendors & Products | | Redhat; Redhat apicurio Registry
References | |
Metrics: cvssV3_1 | | {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Redhat Apicurio Registry
MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-25T23:23:20.902Z

Reserved: 2026-06-23T12:18:15.412Z

Link: CVE-2026-12993

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Public Date: 2026-06-10T13:00:00Z

Links: CVE-2026-12993 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T01:00:06Z

Weaknesses
  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')